Attribute Lookup in Extension

Christopher Bongaarts cab at
Mon Sep 17 15:25:30 EDT 2018

On 9/17/2018 1:48 PM, Cantor, Scott wrote:
> On 9/17/18, 1:59 PM, "Christopher Bongaarts" <cab at> wrote:
>> One thing I found helpful in understanding this was to examine the
>> existing (system) flows that call a ResolveAttributes action, and
>> compare how different flows invoke it in different ways at different times.
> Certainly one can, but the "major" flows are very complex and hard to follow at first, and in this specific instance, I'm just saying that the interceptors run at a point where all the data has been collected already in the normal way and the usual need is just to access it via the AttributeContext, per the diagram of the tree on the page I referenced.
> That's how they existing ones (expiring-password, context-check, and even attribute-release) get at them.

Most definitely - if you can take care of something using the intercept 
mechanism, your life will be free and easy.

> What you *don’t* want to do is ever wire up copies of our action beans and/or directly copy our flows when the beans reference those impl classes. They're not API and they're all subject to change at any time, and any upgrade could break them.

After migrating to the MFA flow and built-in lockout support, I think 
I'm down to just a handful of tweaks to the system/flows/authn flows 'n' 
beans (mostly to support our local audit log and a legacy auth cookie).  
3.4 has some nice stuff coming that will let me trim down or eliminate 
some of our Java code too.

%%  Christopher A. Bongaarts   %%  cab at          %%
%%  OIT - Identity Management  %%  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

More information about the users mailing list